Hello,
I have a FortiGate 60E (v5.6.3 build1547 (GA)) and I want to kick clients out of my network after 30 mins, and I don't want them to reconnect until 24 hours have passed.
Any advice?
Thanks in advance.
Hello,
This is not a standard function of FortiGate. The first part is easy: you can specify a 30-minute timeout in the user settings, and 'set auth-timeout-type hard-timeout'.
However, making them unable to log in again for the next 24 hours is not possible with FortiGate only.
I can imagine you can do some creative scripting to make something like this work, but I am not quite sure if you are looking for such a kind of solution.
F)(
smithproxy hacker - www.smithproxy.org
If it was an IPS-driven event you could maybe write a signature with a trigger and then set a quarantine value, but the OP needs to explain what he/she is trying to do.
Is this a fw user (admin) or a network user?
Ken
PCNSE
NSE
StrongSwan
Hi Emnoc,
This is a network user.
Hi ahmadswelem, well :) I was thinking of some custom RADIUS server in Python. There is an excellent python-pyrad library, which you can take a look at. I have already written some smaller projects with it, so I can only recommend it. With it, you can simply create a custom RADIUS server; you just need to take care of passwords and the logic of denying to accept a user. It can even be quite an interesting project, if you won't keep it simple :-) If you maintain the passwords db on some other RADIUS server, you can eventually write some RADIUS proxy, using pyrad too. Doing the same with LDAP would be more difficult; in that case I would recommend writing it in RADIUS and handling backend authentication towards the LDAP server. Quite simple, but not too simple.
Good luck,
Fishbone)(
smithproxy hacker - www.smithproxy.org
He might want to look at FreeRADIUS or a commercial RADIUS solution like Alepo. This concept for forced used sessions by time/bytes/etc. is how pay-by usage service providers do (hotel hotspot/dialup/etc.).
I would write it by time and disable the account for 24 hours before re-enabling.
Ken
PCNSE
NSE
StrongSwan
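The deny logic suggested in the two replies above (a custom RADIUS server that refuses the user, or an account disabled for 24 hours), as an added example that is not code from any poster in this thread or from pyrad. It uses only the Python standard library; `AccessWindowPolicy` and `decide` are hypothetical names, and it assumes the 24 hours are counted from the end of the 30-minute window and that the RADIUS handler calls `decide` only after the password check has passed.

```python
import time

SESSION_SECONDS = 30 * 60        # allowed online window, from the thread
LOCKOUT_SECONDS = 24 * 60 * 60   # wait before the next window, from the thread


class AccessWindowPolicy:
    """Hypothetical helper: tracks each user's window and decides accept/reject."""

    def __init__(self, session=SESSION_SECONDS, lockout=LOCKOUT_SECONDS):
        self.session = session
        self.lockout = lockout
        self.window_start = {}   # username -> epoch seconds of first accept

    def decide(self, username, now=None):
        """Return ("accept", seconds_left) or ("reject", seconds_until_allowed).

        Call only after the password check has succeeded, so failed logins
        never start or extend a window.
        """
        now = time.time() if now is None else now
        start = self.window_start.get(username)
        if start is None or now >= start + self.session + self.lockout:
            # First login, or lockout fully served: open a fresh window.
            self.window_start[username] = now
            return ("accept", self.session)
        if now < start + self.session:
            # Reconnect inside the window: grant only the time that remains.
            return ("accept", int(start + self.session - now))
        # Window used up: reject until the lockout has elapsed.
        return ("reject", int(start + self.session + self.lockout - now))


if __name__ == "__main__":
    policy = AccessWindowPolicy()
    t0 = 1_700_000_000  # constructed timestamp, not real log data
    for offset in (0, 600, 1800, 3600, 1800 + 86400):
        print(offset, policy.decide("guest1", now=t0 + offset))
```

The state here lives in memory, so a server restart clears every lockout; a real deployment would persist `window_start`. A reconnect inside the window is granted only the remaining seconds, which the firewall's fixed 30-minute hard timeout alone would not enforce.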
Hi Fishbone,
this is quite interesting, I needed something fast to work on.
As soon as I finish my current task I will dig into it more :) .
Thanks for the tip Buddy.
Hi Fishbone,
thank you for the tip, as for the authentication part I will apply it since it makes sense.
If I find something for the second part I will post it here :) .
Thanks a lot.